| Summary: | <net-libs/zeromq-4.0.5 && >=net-libs/zeromq-4.0.0: two vulnerabilities (CVE-2014-7202) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | trivial | CC: | qnikst |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | http://www.openwall.com/lists/oss-security/2014/09/26/21 | ||
| Whiteboard: | ~3 [noglsa] | ||
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 539440 | ||
| Bug Blocks: | |||
Description:

From ${URL} :

Matthew Hawn found that libzmq (ZeroMQ/C++) did not validate the other party's security handshake properly, allowing a man-in-the-middle downgrade attack.
Code commit: https://github.com/zeromq/libzmq/issues/1190

Matthew Hawn found that libzmq (ZeroMQ/C++) did not implement a uniqueness check on connection nonces, and the CurveZMQ RFC was ambiguous about nonce validation. This allowed replay attacks.
Code commit: https://github.com/zeromq/libzmq/issues/1191

Only ZMQ versions 4.0.x with x < 5 are affected. 4.0.5 is about to be released.

@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.

Comment:

    +*zeromq-4.0.5 (11 Feb 2015)
    +
    +  11 Feb 2015; Justin Lecher <jlec@gentoo.org> +zeromq-4.0.5.ebuild,
    +  -zeromq-3.2.4-r1.ebuild, -zeromq-4.0.1-r1.ebuild, -zeromq-4.0.1.ebuild,
    +  -zeromq-4.0.4-r1.ebuild, metadata.xml:
    +  Version Bump, #539440; drop old, fixes two security problems, #523850; Add
    +  SLOT operators, #511526; improve USE description, #507948

Bumped and all vulnerable versions removed. Thanks.

No stable version affected, closing noglsa
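The two gaps described above (a peer-announced mechanism accepted without comparing it to the configured one, and nonces accepted without a uniqueness check) map onto two small endpoint-side checks. The following is an added illustration written for this page; it is not libzmq's code and not the fix referenced in the linked issues. It assumes the 64-byte ZMTP 3.0 greeting layout (10-byte signature, 2-byte version, 20-byte NUL-padded mechanism name, 1-byte as-server flag, 31 bytes of filler) and treats the 8-byte CurveZMQ short nonce as an unsigned little-endian counter that must strictly increase per connection; `make_greeting`, `parse_mechanism`, `handshake_allowed`, `NonceGuard` and `replay_demo` are names chosen here.

```cpp
// Added illustration (not libzmq code): two checks a ZMTP/CurveZMQ endpoint
// can apply to close the gaps in this bug:
//  1. refuse a peer whose greeting announces a security mechanism other than
//     the one this socket was configured with (no silent downgrade);
//  2. refuse a short nonce that is not strictly newer than the last nonce
//     accepted on this connection (no replay of captured frames).
#include <array>
#include <cstdint>
#include <string>

using Greeting = std::array<uint8_t, 64>;

// Build a ZMTP 3.0 greeting. Constructed test input, not captured traffic.
Greeting make_greeting(const std::string &mechanism, bool as_server) {
    Greeting g{};
    g[0] = 0xFF; g[9] = 0x7F;          // signature: 0xFF, 8 x 0x00, 0x7F
    g[10] = 3;   g[11] = 0;            // version 3.0
    for (size_t i = 0; i < mechanism.size() && i < 20; ++i)
        g[12 + i] = static_cast<uint8_t>(mechanism[i]);   // NUL-padded name
    g[32] = as_server ? 1 : 0;         // as-server flag; filler stays zero
    return g;
}

// Extract the announced mechanism; returns "" for a malformed greeting.
std::string parse_mechanism(const Greeting &g) {
    if (g[0] != 0xFF || g[9] != 0x7F || g[10] != 3) return "";
    std::string m;
    for (size_t i = 12; i < 32 && g[i] != 0; ++i)
        m += static_cast<char>(g[i]);
    return m;
}

// Check 1: the peer must announce exactly the configured mechanism.
// Anything else (including a well-formed but weaker NULL or PLAIN) is refused
// rather than negotiated down to.
bool handshake_allowed(const Greeting &g, const std::string &configured) {
    const std::string announced = parse_mechanism(g);
    return !announced.empty() && announced == configured;
}

// Check 2: per-connection replay guard for 8-byte short nonces.
// Assumption: the nonce is an unsigned little-endian counter; a value that is
// not strictly greater than the last accepted one is a duplicate or an old
// frame being replayed, so it is rejected.
class NonceGuard {
public:
    bool accept(const std::array<uint8_t, 8> &nonce) {
        uint64_t n = 0;
        for (int i = 7; i >= 0; --i) n = (n << 8) | nonce[i];
        if (seen_ && n <= last_) return false;
        seen_ = true;
        last_ = n;
        return true;
    }
private:
    bool seen_ = false;
    uint64_t last_ = 0;
};

// Encode a counter as a little-endian 8-byte nonce (constructed test helper).
std::array<uint8_t, 8> nonce_from(uint64_t v) {
    std::array<uint8_t, 8> out{};
    for (int i = 0; i < 8; ++i) out[i] = static_cast<uint8_t>(v >> (8 * i));
    return out;
}

// Feed a constructed nonce sequence through one guard and count acceptances:
// 1 and 2 are fresh, the second 2 and the 1 are replays, 10 is fresh again.
int replay_demo() {
    NonceGuard guard;
    const uint64_t sequence[] = {1, 2, 2, 1, 10};
    int accepted = 0;
    for (uint64_t v : sequence)
        if (guard.accept(nonce_from(v))) ++accepted;
    return accepted;   // 3
}
```

Both checks are deliberately strict: a mismatch or a stale nonce closes the connection instead of being tolerated, which is the behaviour that turns the downgrade and replay described above into failed handshakes and dropped frames.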